Scribd
Upload
511 views25 pages

Open Source OTP for IT Security Experts

The document discusses creating one-time password (OTP) infrastructures using open source software. It describes the HMAC-based one-time password (HOTP) algorithm, which provides a common protocol for OTP tokens to enable interoperability. It outlines some open source implementations of OTP servers and clients that can be used, including the OTPD server software and clients for Java and iPhone. It provides an example scenario of using these open source OTP and RADIUS components for centralized authentication of UNIX login, a web application, and wireless access.

Uploaded by

Goran Zdravkov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
511 views25 pages

Open Source OTP for IT Security Experts

The document discusses creating one-time password (OTP) infrastructures using open source software. It describes the HMAC-based one-time password (HOTP) algorithm, which provides a common protocol for OTP tokens to enable interoperability. It outlines some open source implementations of OTP servers and clients that can be used, including the OTPD server software and clients for Java and iPhone. It provides an example scenario of using these open source OTP and RADIUS components for centralized authentication of UNIX login, a web application, and wireless access.

Uploaded by

Goran Zdravkov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

Creating One Time Password (OTP)

infrastructures using
Open Source sofware

Giuseppe Gippa Patern


Visiting Researcher
Trinity College Dublin

Filte
(welcome)

Who am I

Visiting Researcher at Trinity College Dublin (Ireland)

Solution Architect and EMEA Security Expert in Red Hat

Previously Security Solution Architect in Sun and also in IBM

Red Hat Certified Security Specialist (RHCSS), Red Hat Certified


Architect (RHCA) and Cisco Certified Network Professinal (CCNP)

Part of the italian security community sikurezza.org

Published books and whitepapers

Forensic analisys for local govs

More on:

http://www.scss.tcd.ie/Giuseppe.Paterno/

http://www.gpaterno.com/

http://www.linkedin.com/in/gpaterno

Global IT scenario

Even more in this recession phase, the IT budget


is getting lower and lower
The projects (demand) are increasing with
significantly less money available

Lowering TCO
"The economic crisis is going to be a catalyst for
open source, much like the technology crash of
2001 catapulted Linux front and center"
Laurie Wurster, a Gartner analyst.

The adoption of Open Source


software can lower the TCO
and increase your security!

How Open Source


can increase
Security?

Open Source = Open Standards = Choice

The OATH Alliance

The Initiative for Open Authentication (OATH)

Open alliance of vendors

ActiveIdentity, Vasco, Gemalto, Aladdin, ...

http://www.openauthentication.org/
Created a common algorithm for one time password
tokens (HOTP)

A common protocol for the interoperability of the


several impementations available

What is HOTP

An HMAC-Based One-Time Password Algorithm


(HOTP)
A common shared algorithm that is meant to
facilitate the adoption of two-factor
authentication

Alogorithm published as RFC 4226

The complete standard on:

http://www.rfc-editor.org/

HOTP: Internals
The algorithm is:
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
K

Shared key between client and server

8-byte counter value syncronized between client


and server

Truncate()

Perform a dynamic truncation and reduction of


the string to extract a 4-byte dynamic binary
code.
The result must extract minimum a 6-digit code,
but also 7 and 8-digit code

Anathomy of HOTP

The shared key between the OTP peers (token


and authenticator) is an hexadecimal string

The lenght is a SHA-1 digest

Example of generating a new HMAC 6-digit


shared key:
dd if=/dev/random bs=4096 count=1 2>/dev/null |
sha1sum | awk '{print $1}'

HOTP implementations

Both commercial and open source


implementations available
Most of the hardware tokens adhere to the HOTP
algorithm
Few software implementations, most of which
proprietary/closed source
Some software client available:

J2ME, iPhone and Windows Mobile

Publically available algorithm makes it simple to


implement a client

How does it fit all together?

The software

An open source OTP server:

Only one server implementation available


(OTPD), formelly from TRI-D Systems

Now I made it available on


http://otpd.googlecode.com

FreeRADIUS, the popular radius server for Linux

Two tested freely available client:

oathdsss.jar (DSSS) for Java MIDP (Nokia)

iToken (Quest Software) for iPhone

OTPD server

It handle the validation of the One Time


Passwords

Uses files and LDAP as repository

Keeps the state of the OTP token (counter)

Supported tokens:

HOTP

CRYPTOCard

Plain old x9.9 (based on DES, unsecure!)

It listen to autentication requests

FreeRADIUS

Well known high-performance open source


RADIUS server

Handle authentication and accounting

Plug-in based

One of the plug-in is rlm_otpd

Developed by TRI-D Systems

Communicate via Unix sockets with the OTPD


server to verify an OTP token

The soft-token

An OTP token in software

Less secure than an hardware

What if my laptop is stolen?

A compromise is using a softtoken on a mobile platform

Easy to manage

Lower costs

Better security over a fat


client on laptops/desktops

Available for most mobile


phones

What can I authenticate?

Any RADIUS compliant system, ex:

VPN systems

Wireless LANs

Routers/network equipments

Core UNIX systems (through pam_radius)

Captive portals

Any application can use the RADIUS protocol:

common APIs available in C, PHP, Python, Ruby,


Java (J2EE)

Enteprise scenario

Demo scenario

Authentication server:

OTP Server

FreeRADIUS Server

Client UNIX

Web application (PHP)

Centralized Web Single Sign-On (CAS)

Demo (the clients)

Client Unix

Interactive log-in

Leverage the pam_radius module

Web Single Sign-On

Based on Yale CAS

Customized to login through RADIUS

PHP web application

Dummy application to demonstrate CAS' capabilities


with OTP integration

Virtually every application can leverage CAS


architecture

Demo scenario (big picture)

Interactive log-in
OTP/Radius Server
Authentication
Request
(RADIUS)

Log-on
request

Web Application
OTP/Radius Server

Redirect to
CAS' Single
Sign-on Portal
Authentication
Request
(RADIUS)

Web Access

Demo now!

Thank you!!
Giuseppe Gippa Patern
Visiting Researcher
Trinity College Dublin
paternog@cs.tcd.ie
http://www.scss.tcd.ie/Giuseppe.Paterno/
http://www.gpaterno.com/

You might also like